Tuesday, 22 November 2016

Using ZAP during the development process is now easier than ever. We are proud to present the Jenkins plugin, which extends the functionality of the ZAP security tool into a CI environment.

The process explained

A Jenkins CI Build step initializes ZAP

Traffic flows (Regression Pack) through ZAP (Web Proxy)

ZAP modifies requests to include Vulnerability Tests

Target Application/Server sends Response back through ZAP

ZAP sends reporting data back to Jenkins

Jenkins publishes and archives the report(s)

Jenkins creates JIRA tickets for the alerts

The ZAP Jenkins plugin makes use of the readily available and diverse ZAP API, allowing you to use the same session files and scan policy profiles in both ZAP and the Jenkins plugin, so they can be loaded interchangeably.

So what can you do?

Automate the site mapping process with a Selenium script: have ZAP act as an intercepting proxy to map the structure of your site and record passive alerts. Fire off an active scan and finish by generating a report in one of three available formats (xhtml, xml or json). These can be sent off to management, or you can load the session later and inspect each raised alert at your convenience.

The plugin provides a seamless workflow and the same functionality as the GUI. You can:

Manage Sessions (Load or Persist)

Define Context (Name, Include URLs and Exclude URLs)

Attack Contexts (Spider Scan, AJAX Spider, Active Scan)

You can also:

Setup Authentication (Form Based or Script Based)

Run as Pre-Build as part of a Selenium Build

Generate Reports (.xhtml, .xml, .json)

All while giving you the benefits of Jenkins to automate the process: scan between build and deployment, taking full advantage of the automation server.

Where we go from here...

We plan to extend the authentication method to allow authenticated AJAX Spider scans and to support HTTP/NTLM authentication. To further the continuous integration process, we will be adding build management tools in the near future, which will allow you to set the thresholds that determine whether a build passes or fails. But we’re not stopping here: we will be continuously advancing our API to meet the needs of community requests for the Jenkins plugin.
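A build gate of the kind described above, written here as an added example that is not part of the plugin or the original post: it reads a ZAP JSON report (the report below is a constructed sample shaped like ZAP's traditional JSON report, not real scan output) and fails the build when the number of alert instances at a given risk level exceeds a threshold, with a list of triaged alert names that are skipped.

```python
import json
from collections import Counter

# Risk codes as ZAP writes them in its reports: 0 Informational, 1 Low, 2 Medium, 3 High
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sample in the shape of ZAP's traditional JSON report; not output of a real scan.
SAMPLE_REPORT = json.dumps({
    "@version": "2.5.0",
    "site": [{
        "@name": "http://localhost:8080",
        "alerts": [
            {"name": "Cross Site Scripting (Reflected)", "riskcode": "3", "confidence": "2",
             "instances": [{"uri": "http://localhost:8080/search?q=x", "method": "GET", "param": "q"},
                           {"uri": "http://localhost:8080/item?id=1", "method": "GET", "param": "id"}]},
            {"name": "X-Frame-Options Header Not Set", "riskcode": "2", "confidence": "2",
             "instances": [{"uri": "http://localhost:8080/", "method": "GET", "param": ""}]},
            {"name": "Timestamp Disclosure - Unix", "riskcode": "0", "confidence": "1",
             "instances": [{"uri": "http://localhost:8080/static/app.js", "method": "GET", "param": ""}]},
        ],
    }],
})


def count_by_risk(report_json, ignore_names=()):
    """Count alert instances per risk level across every site in the report.

    ignore_names holds alert names already triaged (accepted risk or false positive).
    """
    counts = Counter({name: 0 for name in RISK_NAMES.values()})
    for site in json.loads(report_json).get("site", []):
        for alert in site.get("alerts", []):
            if alert.get("name") in ignore_names:
                continue
            risk = RISK_NAMES.get(int(alert.get("riskcode", 0)), "Informational")
            # An alert with no instance list still counts once.
            counts[risk] += len(alert.get("instances", [])) or 1
    return counts


def build_gate(report_json, thresholds, ignore_names=()):
    """Decide pass/fail for a build.

    thresholds maps a risk level to the maximum number of instances tolerated;
    levels not listed are not gated. Returns (passed, list of violation messages).
    """
    counts = count_by_risk(report_json, ignore_names)
    violations = [f"{level}: {counts[level]} found, at most {limit} allowed"
                  for level, limit in thresholds.items() if counts[level] > limit]
    return (not violations), violations
```

In a Jenkins job the gate would run after the report is archived, with a non-zero exit on failure so the build is marked failed.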

We will work with our community, taking advice and feedback to improve and support this plugin in the short and long term.